docs(node): align firewall defaults with single-node 5432 overrides

Author: Vonng

content/docs/about/release.md

@@ -412,7 +412,7 @@ all:
     # NODE_SEC
     #-----------------------------------------------------------------
     node_selinux_mode: permissive     # set selinux mode: enforcing,permissive,disabled
-    node_firewall_mode: zone          # firewall mode: none (skip), off (disable), zone (enable & config)
+    node_firewall_mode: zone          # firewall mode: zone (default), off (disable), none (skip & self-managed)
     node_firewall_intranet:           # which intranet cidr considered as internal network
       - 10.0.0.0/8
       - 192.168.0.0/16
@@ -421,7 +421,6 @@ all:
       - 22                            # enable ssh access
       - 80                            # enable http access
       - 443                           # enable https access
-      - 5432                          # enable postgresql access (think twice before exposing it!)
 
     #-----------------------------------------------------------------
     # NODE_TUNE

content/docs/conf/yaml/demo/debian.yml

@@ -419,7 +419,7 @@ all:
     # NODE_SEC
     #-----------------------------------------------------------------
     node_selinux_mode: permissive     # set selinux mode: enforcing,permissive,disabled
-    node_firewall_mode: zone          # firewall mode: none (skip), off (disable), zone (enable & config)
+    node_firewall_mode: zone          # firewall mode: zone (default), off (disable), none (skip & self-managed)
     node_firewall_intranet:           # which intranet cidr considered as internal network
       - 10.0.0.0/8
       - 192.168.0.0/16
@@ -428,7 +428,6 @@ all:
       - 22                            # enable ssh access
       - 80                            # enable http access
       - 443                           # enable https access
-      - 5432                          # enable postgresql access (think twice before exposing it!)
 
     #-----------------------------------------------------------------
     # NODE_TUNE

content/docs/conf/yaml/demo/el.yml

@@ -165,7 +165,7 @@ all:
     repo_remove: true                 # remove existing repo on admin node during repo bootstrap
     node_repo_remove: true            # remove existing node repo for node managed by pigsty
     #node_selinux_mode: enforcing     # set selinux mode: enforcing,permissive,disabled
-    node_firewall_mode: zone          # firewall mode: none (skip), off (disable), zone (enable & config)
+    node_firewall_mode: zone          # firewall mode: zone (default), off (disable), none (skip & self-managed)
 
     repo_extra_packages: [ pg18-main ] #,pg18-core ,pg18-time ,pg18-gis ,pg18-rag ,pg18-fts ,pg18-olap ,pg18-feat ,pg18-lang ,pg18-type ,pg18-util ,pg18-func ,pg18-admin ,pg18-stat ,pg18-sec ,pg18-fdw ,pg18-sim ,pg18-etl]
     pg_version: 18                    # default postgres version

content/docs/conf/yaml/ha/safe.yml

@@ -299,6 +299,7 @@ all:
     #==========================================================#
     node_id_from_pg: true             # use nodename rather than pg identity as hostname
     node_tune: tiny                   # use small node template
+    node_firewall_mode: zone          # default: trust intranet, expose selected public ports
     node_timezone: Asia/Hong_Kong     # use Asia/Hong_Kong Timezone
     node_dns_servers:                 # DNS servers in /etc/resolv.conf
       - 10.10.10.10

content/docs/conf/yaml/ha/simu.yml

@@ -148,6 +148,7 @@ all:
     #node_repo_modules: local             # use this if you want to build & user local repo
     node_repo_remove: true                # remove existing node repo for node managed by pigsty
     #node_packages: [openssh-server]      # packages to be installed current nodes with the latest version
+    node_firewall_public_port: [22, 80, 443, 5432]    # expose 5432 for demo convenience, remove in production!
 
     #----------------------------------------------#
     # PGSQL : https://pigsty.io/docs/pgsql/param
@@ -217,4 +218,4 @@ all:
     haproxy_admin_password: pigsty
     minio_secret_key: S3User.MinIO
     etcd_root_password: Etcd.Root
-...
+...

content/docs/conf/yaml/meta.yml

@@ -58,8 +58,8 @@ all:
     node_repo_modules: node,infra,pgsql # add these repos directly to the singleton node
     node_packages: [ openssh-server, juicefs, restic, rclone, uv, opencode, golang, asciinema, tmux ]
     docker_enabled: true                # enable docker service
-    node_firewall_mode: none            # change to 'zone' to enable firewall
-    node_firewall_public_port: [22, 80, 443, 5432]    # add custom public ports
+    node_firewall_mode: zone            # default: trust intranet, expose selected public ports
+    node_firewall_public_port: [22, 80, 443, 5432]    # expose 5432 for remote access, remove in production!
     #docker_registry_mirrors: ["https://docker.1panel.live","https://docker.1ms.run","https://docker.xuanyuan.me","https://registry-1.docker.io"]
 
     #----------------------------------------------#

content/docs/conf/yaml/vibe.yml

@@ -164,17 +164,17 @@ After changing the password, use the following to reload config (hot reload, no
 Pigsty uses [`node_firewall_mode`](/docs/node/param#node_firewall_mode) to control firewall behavior.
 Uses **firewalld** on RHEL/Rocky and **ufw** on Debian/Ubuntu.
 
-By default, this is `none` - existing firewall config is untouched and left to the user.
-Set to `zone` to enable the system firewall.
+By default, this is `zone`: Pigsty enables the system firewall consistently across distros with an "intranet trusted, public minimized" policy.
 In zone mode, intranet traffic is unrestricted, but external access is limited to specific ports.
+Set `node_firewall_mode: none` only when you want to fully self-manage firewall state and rules.
 This is especially important when deploying on cloud servers exposed to the internet.
 
 We recommend opening only necessary ports: 22 (SSH), 80/443 (HTTP/HTTPS) are essential. Be cautious about exposing port 5432 (PostgreSQL).
 
 
-### Enable Firewall
+### Apply Firewall Rules
 
-Set `node_firewall_mode` to `zone` to enable firewall with trusted zone config:
+`zone` is already the default. If you previously set `none/off`, set it back to `zone` and apply:
 
 ```yaml
 node_firewall_mode: zone              # enable firewall with zone rules
@@ -288,4 +288,3 @@ sudo ufw disable
 ```
 {{% /tab %}}
 {{< /tabpane >}}
-

content/docs/node/admin.md

@@ -80,9 +80,9 @@ The [NODE](/docs/node) module tunes target nodes into the desired state and inte
 | Parameter                                                       |    Type     |  Level  | Description                                          |
 |:----------------------------------------------------------------|:-----------:|:-------:|:-----------------------------------------------------|
 | [`node_selinux_mode`](#node_selinux_mode)                       |   `enum`    |   `C`   | SELinux mode: disabled, permissive, enforcing        |
-| [`node_firewall_mode`](#node_firewall_mode)                     |   `enum`    |   `C`   | firewall mode: none, off, zone                       |
+| [`node_firewall_mode`](#node_firewall_mode)                     |   `enum`    |   `C`   | firewall mode: zone (default), off, none (self-managed) |
 | [`node_firewall_intranet`](#node_firewall_intranet)             |  `cidr[]`   |   `C`   | intranet CIDR list for firewall rules                |
-| [`node_firewall_public_port`](#node_firewall_public_port)       |  `port[]`   |   `C`   | public exposed port list, default [22, 80, 443, 5432]|
+| [`node_firewall_public_port`](#node_firewall_public_port)       |  `port[]`   |   `C`   | public exposed port list, default [22, 80, 443]      |
 
 [`NODE_ADMIN`](#node_admin) section configures admin user, data directory, and shell aliases.
 
@@ -687,7 +687,7 @@ Node security related parameters, including SELinux and firewall configuration.
 
 ```yaml
 node_selinux_mode: permissive             # selinux mode: disabled, permissive, enforcing
-node_firewall_mode: none                  # firewall mode: none (skip), off (disable), zone (enable & config)
+node_firewall_mode: zone                  # firewall mode: zone (default), off (disable), none (skip & self-managed)
 node_firewall_intranet:           # which intranet cidr considered as internal network
   - 10.0.0.0/8
   - 192.168.0.0/16
@@ -696,7 +696,6 @@ node_firewall_public_port:        # expose these ports to public network in (zon
   - 22                            # enable ssh access
   - 80                            # enable http access
   - 443                           # enable https access
-  - 5432                          # enable postgresql access (think twice before exposing it!)
 ```
 
 
@@ -727,17 +726,17 @@ Also, SELinux mode changes may require a system reboot to fully take effect.
 
 name: `node_firewall_mode`, type: `enum`, level: `C`
 
-Firewall running mode. Default is `none`.
+Firewall running mode. Default is `zone`.
 
 Options:
 
-* `none`: Do nothing, maintain existing firewall rules unchanged (default)
+* `zone`: Enable firewall and configure rules: trust intranet, only open specified ports to public (default)
 * `off`: Turn off and disable firewall (equivalent to old version's `node_disable_firewall: true`)
-* `zone`: Enable firewall and configure rules: trust intranet, only open specified ports to public
+* `none`: Do not manage firewall state/rules; fully self-managed by user
 
-Uses `firewalld` service on EL systems, `ufw` service on Debian/Ubuntu systems.
+Uses `firewalld` service on EL systems, `ufw` service on Debian/Ubuntu systems. To align behavior across distros, Pigsty now defaults to `zone`: firewall enabled by default, intranet trusted, and public access limited to [`node_firewall_public_port`](#node_firewall_public_port).
 
-If you're deploying in a completely trusted intranet environment, or using cloud provider security groups for access control, you can use the default `none` mode to keep existing firewall configuration, or set to `off` to explicitly disable the firewall.
+If you need full manual firewall control (for example, relying only on cloud security groups or enterprise firewall policies), set `node_firewall_mode` to `none`. Use `off` only when you explicitly want to disable the system firewall.
 
 Production environments with public network exposure should use `zone` mode with [`node_firewall_intranet`](#node_firewall_intranet) and [`node_firewall_public_port`](#node_firewall_public_port) for fine-grained access control. The `zone` mode will enable the firewall if not already running.
 
@@ -769,26 +768,25 @@ Hosts within these CIDR ranges will be treated as trusted intranet hosts with mo
 
 name: `node_firewall_public_port`, type: `port[]`, level: `C`
 
-Public exposed port list. Default is `[22, 80, 443, 5432]`.
+Public exposed port list. Default is `[22, 80, 443]`.
 
 This parameter defines ports exposed to public network (non-intranet CIDR). Default exposed ports include:
 
 * `22`: SSH service port
 * `80`: HTTP service port
 * `443`: HTTPS service port
-* `5432`: PostgreSQL database port
 
-You can adjust this list according to actual needs. For example, if you don't need to expose the database port externally, remove `5432`:
+You can adjust this list according to actual needs. For example, if you need to expose PostgreSQL to public network, explicitly add `5432`:
 
 ```yaml
-node_firewall_public_port: [22, 80, 443]
+node_firewall_public_port: [22, 80, 443, 5432]
 ```
 
 PostgreSQL default security policy in Pigsty only allows administrators to access the database port from public networks.
 If you want other users to access the database from public networks, make sure to correctly configure corresponding access permissions in PG/PGB HBA rules.
 
-If you want to expose other service ports to public networks, you can also add them to this list.
-If you want to tighten firewall rules, you can remove the 5432 database port to ensure only truly needed service ports are exposed.
+If you want to expose other service ports to public networks, you can add them to this list.
+Always keep the minimum-exposure principle and open only ports you really need.
 
 Note that this parameter only takes effect when [`node_firewall_mode`](#node_firewall_mode) is set to `zone`.
 

content/docs/node/param.md

@@ -64,6 +64,6 @@ Avoid exposing internal component ports directly to the public internet: `etcd`
 
 ```yaml
 node_firewall_mode: zone
-node_firewall_public_port: [22, 80, 443, 5432]
+node_firewall_public_port: [22, 80, 443]
+# node_firewall_public_port: [22, 80, 443, 5432]  # only if public DB access is required
 ```
-